PyPi Malware Supply Using Identical Package Name

Table of Contents

1. Introduction

   • Overview of the PyPi Supply Chain Attack
   • Threat Actor Profile: “Lolip0p”

2. Attack Details

   • Timeline of Events
   • Malicious Package Names and Descriptions

3. Technical Analysis

   • Malicious Code in setup.py
   • Execution Flow and Obfuscation Techniques
   • Detailed Behavior of Oxzy.exe and update.exe
   • Role of SearchProtocolHost.exe in Persistence

4. Impact and Implications

   • Potential Risks to Developers and Organizations
   • Broader Implications for Open-Source Security

5. Detection and Prevention

   • Detection Techniques Using DNIF
   • Recommended Security Measures
     • Verifying Source and Author
     • Inspecting Package Scripts
     • File Integrity Monitoring

6. Conclusion

   • Summary of Key Findings
   • Importance of Vigilance in Open-Source Package Usage

7. Appendices

   • File Hashes and Metadata of Malicious Files
   • References and Resources

In early January 2023, a malicious actor using the pseudonym “Lolip0p” launched a covert attack on the Python Package Index (PyPi) by uploading three fake packages under the names ‘libhttps,’ ‘httpslib,’ and ‘colorslib’. These names closely mirrored legitimate packages on PyPi, one of the primary sources for Python developers to access and manage external libraries. Between January 7 and January 12, these fraudulent packages went live, drawing in unsuspecting developers seeking to use popular packages with authentic-sounding names.

To appear legitimate and avoid raising suspicions, “Lolip0p” crafted convincing project descriptions and kept the feature lists concise, mirroring the styles often seen in genuine PyPi listings. This strategic move made it challenging for developers to detect any red flags while browsing through the library. As a result, by the time PyPi detected and removed the packages on January 14, they had already been downloaded over five hundred times.

This incident is a crucial reminder for developers to remain vigilant, even on trusted repositories like PyPi, as cyber attackers continue to employ sophisticated techniques to infiltrate widely used systems. Although the malicious packages are no longer available, the “Lolip0p” incident underscores the importance of verifying package authenticity and staying informed on best practices for secure coding environments.

The recent PyPi breach orchestrated by an attacker known as “Lolip0p” involved more than just cleverly named packages; it showcased a sophisticated approach to delivering malware to unsuspecting users. Each of the three fake packages—‘libhttps,’ ‘httpslib,’ and ‘colorslib’—contained modified scripts hidden in their setup.py installer files, which, upon inspection, revealed a deeply malicious intent.

The setup.py file is typically an innocuous script used for installing package dependencies. However, in this case, Lolip0p embedded a command that triggered a subprocess to open PowerShell and download a hidden malware file named Oxzy.exe. Once downloaded, the script promptly renamed it to WindowsCache.exe, adding another layer of stealth to avoid detection by antivirus software. Using the Invoke-Expression command in PowerShell, the malware then executed, launching a dangerous program designed to steal sensitive information from the user’s browser.

This cleverly hidden malware underscores the growing sophistication of supply chain attacks, where hackers target commonly used software repositories. By slipping malware into repositories like PyPi, attackers aim to reach a broad audience of developers. In this case, the malware had a specific focus on browser information theft, likely targeting stored credentials, cookies, and browsing history.

For developers and organizations, this incident emphasizes the need for rigorous code inspection, even within trusted libraries. Here are a few tips to stay safe when downloading Python packages:

1. Verify Source and Author: Check package names and authors for authenticity.
2. Inspect Scripts: Reviewing the setup.py file, especially when working with lesser-known packages, can reveal hidden scripts.
3. Stay Informed: Following cybersecurity alerts helps catch emerging threats before they affect your environment.

The “Lolip0p” incident serves as a stark reminder of the ongoing cybersecurity risks within open-source ecosystems. By adopting a cautious approach, developers can better protect their projects and systems against similar malicious threats.

https://www.figma.com/design/3W67uAtZyiv4PJQNjwfHue/Hubspot-Log-Management-landing-page?node-id=1-7&t=LFvPtM22C4WI5jfc-1https://www.figma.com/design/3W67uAtZyiv4PJQNjwfHue/Hubspot-Log-Management-landing-page?node-id=1-7&t=LFvPtM22C4WI5jfc-1https://www.figma.com/design/3W67uAtZyiv4PJQNjwfHue/Hubspot-Log-Management-landing-page?node-id=1-7&t=LFvPtM22C4WI5jfc-1https://www.figma.com/design/3W67uAtZyiv4PJQNjwfHue/Hubspot-Log-Management-landing-page?node-id=1-7&t=LFvPtM22C4WI5jfc-1

Trojan malware often acts as a hidden entry point for attackers, allowing them to access sensitive user data, execute remote commands, and even grant persistent backdoor access. This makes it a dangerous addition to any system, capable of compromising personal and organizational security. With update.exe installed, the attacker gains a foothold on the infected machine, potentially leading to data theft, remote monitoring, and further propagation of malicious software.

This incident underscores the layered complexity of modern malware attacks and highlights the importance of several proactive security measures:

1. Antivirus Solutions: Regularly updating antivirus software can help detect known Trojan files and prevent further infection.
2. Monitoring Temp Folders: Keeping an eye on files created within the temporary folder can be a useful tactic, as malware often uses this location to disguise its activity.
3. Audit Third-Party Packages: Employing tools to verify the integrity of downloaded packages can prevent inadvertent malware downloads.

The “Lolip0p” attack is a potent reminder of the ongoing threats in the software supply chain, particularly in widely used repositories like PyPi. Developers and users alike should take extra steps to verify the authenticity of packages and stay vigilant for signs of malware intrusion.

In a recent PyPi supply chain attack, a malicious package by the pseudonymous “Lolip0p” demonstrated advanced techniques for persistence and stealth. A key component of this malware operation is the update.exe executable, which follows a structured process for creating and storing additional files during execution. Here’s a deep dive into the technical workings of this second-stage payload.

Upon execution, update.exe initiates a series of actions that create new files within a dynamically named folder located in the Windows temporary directory:

Path of Folder Creation:
%USER%\AppData\Local\Temp\onefile_%PID_%TIME%

In this path:

• PID represents the Process ID assigned to the update.exe instance by the operating system.
• TIME is an EPOCH timestamp marking the precise time the binary was executed.
  
  

Breaking Down the Folder Naming Convention

The use of both the PID and EPOCH timestamp in the folder name helps the malware remain obscure and distinct from other processes. Let’s look at the components in more detail:

1. Process ID (PID): The PID is a unique identifier for the specific instance of update.exe during execution. Using this identifier helps prevent conflicts with other instances of the malware, should multiple processes be running simultaneously.
2. EPOCH Timestamp (TIME): The EPOCH timestamp provides an exact time reference down to the second, serving as a digital signature of when the process was initiated. This timestamp can help track the malware’s operational timeline and is critical in forensic analysis.
   
   

Why This Naming Scheme?

This naming convention serves multiple purposes:

• Evasion of Detection: By naming folders uniquely for each process instance and time, the malware avoids generating suspiciously consistent or repetitive folder names, reducing the likelihood of detection.
• Efficient Tracking: Using the PID and timestamp, the malware can track specific executions, ensuring each run maintains its own data trail without overwriting or conflicting with previous files.
• Obfuscation for Forensics: This unique structure complicates forensic investigation, as security teams must analyze each unique folder independently.
  
  

Security Implications and Best Practices

For IT teams and cybersecurity professionals, understanding these behaviors can aid in detection and mitigation:

• Monitor Temporary Directories: Regularly auditing %AppData% for unusual folders named with process IDs or EPOCH timestamps can be a red flag.
• Analyze Process Execution Patterns: Tracking when and how processes like update.exe create files can reveal suspicious activity.
• Deploy File Integrity Monitoring (FIM): FIM tools can alert administrators to unauthorized file creations and modifications, making it easier to spot potential threats.

This targeted attack shows how malicious actors leverage dynamic file creation and naming schemes to achieve persistence, evasion, and stealth. By understanding these mechanisms, security teams can better defend against similar threats in the software supply chain.

Inside the “Lolip0p” Attack: The Malicious Role of `SearchProtocolHost.exe`

As part of the advanced tactics in the recent “Lolip0p” supply chain attack, one specific file, **`SearchProtocolHost.exe`**, plays a significant role. This executable is one of several files created by the secondary payload `update.exe`, and it has been flagged as malicious by multiple antivirus vendors due to its suspicious behavior and potential for harm. Here, we’ll explore the technical characteristics and implications of `SearchProtocolHost.exe` in this attack.

What is `SearchProtocolHost.exe`?

In legitimate Windows environments, `SearchProtocolHost.exe` is a known process responsible for indexing and managing local file searches. However, in this malware instance, the file is a **counterfeit** version, likely designed to mimic the legitimate Windows file to avoid suspicion.

Why `SearchProtocolHost.exe` Raises Red Flags

Several antivirus programs have flagged `SearchProtocolHost.exe` because of its unique and harmful properties:

1. Impersonation of System Files: By using a familiar name associated with Windows search indexing, the malware seeks to evade detection, as many users and security tools may overlook it, mistaking it for a legitimate system process.
2. Malicious Payload: This counterfeit version of `SearchProtocolHost.exe` is engineered to execute harmful commands, potentially ranging from data exfiltration to downloading additional malware components, depending on its coded instructions.
3. Persistence Tactics: The file’s association with `update.exe` means it is automatically generated during each malware execution cycle, further complicating removal. Even if discovered and deleted, a re-execution of `update.exe` could easily replace it.

 Technical Behavior of `SearchProtocolHost.exe`

While each variant may behave differently, here’s an outline of potential actions attributed to the malicious `SearchProtocolHost.exe`:

- Data Exfiltration: The file can scan local files and directories, siphoning sensitive data back to the attacker’s server.

- Command and Control Communication: It may connect to external servers, receiving instructions for further malicious actions.

- Keylogging and Credential Harvesting: As with many Trojan executables, it may be programmed to capture keystrokes or access stored credentials.

Security Implications and Recommendations

The creation and deployment of `SearchProtocolHost.exe` exemplify how sophisticated threat actors exploit trusted file names to deceive users and avoid detection. To mitigate the risks posed by similar threats, consider the following best practices:

1. Monitor Executable Names: Be cautious of executable files with familiar names in unusual locations or unexpected contexts. Known system executables like `SearchProtocolHost.exe` should only be found in designated Windows directories.
2. Employ Application Whitelisting: Limit executable files to known, trusted applications to prevent unknown executables from launching, especially in temporary or non-standard directories.
3. Conduct Regular File Audits: Implement automated tools to scan for unauthorized or unexpected files, especially in critical areas like `%AppData%\Local\Temp\`.

The progression flow is illustrated in the below diagram.

Detection

DNIF is capable of detecting the execution trace of file hashes and reported filenames as Indicator of compromise (IOC) using the pivot field checking in real time. 

With the integration of : 

• Sysmon (Event-ID: 1) logs to match the IOC of file-hash will detect the trojan on its execution stage.
• Proxy Logs are also helpful in detecting a download file of binary (.exe) with known filename IOC match.

Conclusion

The findings again cautioned us that attackers and threat adversaries are using the stream of open-source package providers and taking the advantage of trusted relationships to amplify the distribution of their malware and make trusted providers a carrier.

At this stage calling it a “supply-chain” or an “exploit” is not fully correct as attack takes “Google SEO (Search Engine Optimization) squatting i.e. a kind of Typo-Squatting attack” to misguide a user on a malicious package link with an identical misspelled package name. 

The users are strongly advised to exercise caution while downloading the packages from untrusted sources and authors to prevent themselves from such attacks.